Discussion on: Bundle your Node app to a single executable for Windows, Linux and OsX

Peter Benjamin

Please, don't recommend pkg, or any bundling/packaging technique, as a security/privacy control.

If you need to protect sensitive/secret data (e.g. passwords, API tokens), you can use one of many symmetric (e.g. AES-256) or asymmetric (RSA) encryption algorithms.

Alternatively, there are developer tools that aim to solve this problem in a more developer friendly way than you having to manage public/private keys yourself. I personally like Hashicorp Vault.

Jochem Stoel (Author)

You are right. Please let me point out that I was not recommending pkg as a security protocol but listing it as one of the reasons people ask me how to use it.

edit: additionally, is there any Windows equivalent of what you're doing in the example with strings?

Peter Benjamin

I was not recommending pkg as a security protocol but listing it as one of the reasons people ask me how to use it.

The way you're presenting the topic implies that you're suggesting bundling/packaging applications for these use-cases.

is there any Windows equivalent of what you're doing in the example with strings?

superuser.com/questions/124081/is-...

Jochem Stoel (Author)

Say Peter, how would you go about making your code unreadable then if this is not the way? Simply obfuscate it? That does not do a well enough job in my opinion.

Peter Benjamin

It depends on what you're trying to accomplish.

If you're trying to make your code "unreadable", then obfuscation is what you're looking for. Keep in mind, obfuscation does not make your code "secure". There are such things as deobfuscators.

If you want to "secure" your source code, well, there is little you can do in this area for the following reasons:

  • Dynamic languages are easily accessible/readable.
  • Compiled languages that compile to intermediate byte-code can be decompiled.
  • Compiled languages that compile to machine native code can be disassembled (i.e. translated to assembly).

jsloop42

You can open the binary in Ollydbg on Windows and search for strings. It will be visible as plain text. But the source code itself will be in assembly, because we are decompiling native code.

On macOS, you can view using the free version of Hopper disassembler.